We're behind some kind of Cisco routers, and have to connect via the Cisco NAC Agent. The tech support here at my university tell me that if I connect a router "the whole building will lose internet access." I find this really hard to believe, and I'd like to know: 1. Can they tell if I'm using a router and 2. How could they even tell if the router is using NAT?

This question came from our site for Information security professionals.

2

I don't think it was a 'threat'. I suspect their network, like many others, can't handle a second DHCP server (such as a typical router) suddenly appearing on the network.
– Rushyo Jan 17 '11 at 11:36

3 answers, with 10 votes but no one upvoted the question; people need to use the upvote more often :) +1 Upvote. In my room I am using a wireless router that is connected to the University Network via Ethernet. Ethernet is connected to the WAN port. No problems so far. And I connected a MacBook and an iPod at the same time. I think the key problem you could have is if you don't use the WAN port. But if you use the WAN port you should be fine. Try it.
– Nerian Jan 19 '11 at 15:46

4

I doubt it will bring down the entire network; it's just a warning so they can legitimately blame you for any issues if you do go against their warning and policy. No reason to run a router in a dorm, just use a dumb switch if you need more ports.
– Moab Jan 19 '11 at 16:16

Are you trying to avoid buying another device? If you have a 4-port DSL or wireless "router", understand that such devices are really switches plus routers. If you disable DHCP on the device, you can plug your school Internet connection into a LAN port, and your other devices into a LAN port, and use it as a switch. Plug nothing into the WAN port.
– ultrasawblade Apr 27 '11 at 18:31

5 Answers
5

Adding to PulpSpy's (correct) answer, it's also possible to detect routers (NAT or not) by looking at the TTL field of outgoing IP packets. End stations usually set TTL to a known number, such as 64, 254, or a few other alternatives depending on the OS. When a majority of packets are one less than this, such as 63 and so on, it indicates there was a router hop in between.

This can be circumvented by resetting the TTL on the router.
– Bogdan Maxim Jan 12 '12 at 5:36

@Bogdan Sure. Not many home routers have that capability though, and it breaks IP specs. And then of course they could deploy DPI and catch you by seeing varying HTTP User Agent headers, and a million other ways. :)
– Jakob Borg Jan 12 '12 at 13:20

Yes, they probably can tell. NAT routing will reassign all the port numbers to keep straight which traffic originated from which computer. As a result your traffic will look strange, and when more than one computer is connected, they will typically be on adjacent ports. It wouldn't be proof, but enough to attract attention if they were specifically screening for it.
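The indicators described in the TTL answer above, in the User-Agent comment under it, and in this answer can be combined into one simple screen that a campus network operator might run over packet metadata captured at the access switch. The following is an added example, not code from any answer on this page: it takes constructed packet records (source address, observed TTL, and the HTTP User-Agent if one was seen) and reports, per source address, whether a majority of packets show a hop before the switch port, whether the TTLs imply more than one operating system, and whether more than one User-Agent was seen. The record layout, the addresses and the threshold are this example's own assumptions, and the capture point is assumed to be upstream of the dorm jack but before any campus router, so a hop count of one or more can only come from the student's own device.

```python
"""Heuristics for spotting an unauthorised NAT router behind one switch port.

Added example with constructed data; the record format and names are this
example's own, not anything from the original answers.
"""
from collections import defaultdict

# Initial TTL values that common end-station operating systems send with.
COMMON_INITIAL_TTLS = (64, 128, 255)


def infer_hops(ttl):
    """Return (initial_ttl, hops): the smallest common initial TTL that is
    >= the observed value, and how many routers decremented it on the way."""
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"TTL {ttl} exceeds the IPv4 maximum of 255")


def analyse(records, hop_majority=0.5):
    """Group packet records by source IP and return a per-IP report with the
    three indicators and a 'suspect' flag set when any of them fires."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["src"]].append(rec)

    report = {}
    for src, recs in by_src.items():
        inferred = [infer_hops(r["ttl"]) for r in recs]
        initials = {initial for initial, _ in inferred}
        # Fraction of packets that arrived with at least one decrement.
        routed_fraction = sum(1 for _, hops in inferred if hops >= 1) / len(inferred)
        agents = {r["user_agent"] for r in recs if r.get("user_agent")}

        reasons = []
        if routed_fraction > hop_majority:
            reasons.append("majority of packets show a router hop before the switch port")
        if len(initials) > 1:
            reasons.append("TTLs imply more than one operating system behind the address")
        if len(agents) > 1:
            reasons.append("more than one HTTP User-Agent seen from the address")

        report[src] = {
            "routed_fraction": routed_fraction,
            "initial_ttls": sorted(initials),
            "user_agents": sorted(agents),
            "suspect": bool(reasons),
            "reasons": reasons,
        }
    return report


# Constructed sample: one laptop plugged straight into the jack, and one
# address that is really a NAT router with a Mac and a Windows box behind it.
SAMPLE_RECORDS = [
    {"src": "10.20.30.5", "ttl": 64, "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"src": "10.20.30.5", "ttl": 64, "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"src": "10.20.30.5", "ttl": 64, "user_agent": None},
    {"src": "10.20.30.9", "ttl": 63, "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X)"},
    {"src": "10.20.30.9", "ttl": 63, "user_agent": None},
    {"src": "10.20.30.9", "ttl": 127, "user_agent": "Mozilla/5.0 (Windows NT 6.1)"},
    {"src": "10.20.30.9", "ttl": 127, "user_agent": None},
]


if __name__ == "__main__":
    for src, info in analyse(SAMPLE_RECORDS).items():
        status = "SUSPECT" if info["suspect"] else "ok"
        print(f"{src}: {status} routed={info['routed_fraction']:.2f} "
              f"initial_ttls={info['initial_ttls']} agents={len(info['user_agents'])}")
        for reason in info["reasons"]:
            print(f"    - {reason}")
```

Running it flags 10.20.30.9 on all three counts and leaves 10.20.30.5 alone. Note how the indicators back each other up: a router that rewrites the TTL back to 64, as the comment under the TTL answer describes, defeats the first check but not the other two, because it cannot make a Windows host and a Mac look like the same operating system or merge their browsers' User-Agent strings. None of this is proof on its own, which is exactly the point this answer makes; it is a screen that tells an operator which ports deserve a closer look.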

I find it hard to believe that the network architects at a university would leave themselves vulnerable to a TOTAL network failure, in the event that a student jacks a router into his dorm room socket. The chance that a student might try such a thing is pretty high (witness this post, for example).

The Occam's razor answer is that the tech-support guy probably was just trying to scare you, rather than say he just didn't know.

What's more, in a peer-to-peer architecture (unlike, say, SNA, where you CAN trash the whole network by pretending to be the NCP), the likelihood of something like a device conflict causing complete network failure is pretty low. It COULD BE that your router would somehow be given (or you define it yourself) the SAME IP address as one of the dorm building's own distribution hubs, but it also COULD BE that an asteroid would hit your building.

But let's assume it does happen: as long as the Cisco router doesn't get rebooted, nothing happens, and your router just complains that it can't get a proper connection. Also, the Cisco router would probably report the duplicate IP collision in a log somewhere (which operators or network admins would notice).